Australia’s data privacy laws come into force as providers struggle with data management
An amendment to Australia’s Privacy Act, the biggest overhaul of the country’s data privacy regime in 25 years, comes into effect on Wednesday and is expected to have a significant impact on cloud and communications service providers, and indeed on any firm collecting, processing or storing personal information.
The law takes effect as service providers continue to struggle with data privacy breaches.
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 amends the Privacy Act 1988, the Australian law that regulates the handling of personal information about individuals. The amendment introduces 13 Australian Privacy Principles (APPs) governing the collection, use, storage and disclosure of personal information, and access to and correction of that information.
The Act applies to Australian companies as well as to foreign companies operating in the Australian market.
The amendment gives the Office of the Australian Information Commissioner (OAIC) new powers to monitor how organisations comply with the Act, including checking that they are investing in appropriate IT systems and staff training, and that privacy complaints are handled in a timely and effective manner.
The legislation affects all Australia-based organisations that store any personal data about their customers, including cloud and communications service providers. Businesses need to make explicit whether that data is stored or processed outside Australia, and every supplier involved in that processing – whether in or outside Australia – must comply with the same principles.
A director at a global cloud service provider headquartered in the western United States, who asked to remain anonymous, told Business Cloud News that the amendments will not significantly change the provider’s internal data management processes. He said, however, that it will change how global service providers operate, particularly where their services are delivered through third parties or subsidiaries.
“It will add a new dimension to the audits and parameters we place on partners and third parties in the region for sure,” he said.
“But the interesting thing is what this does with liability. The amendment makes clear that in the event of a privacy complaint or breach of the principles, even if it was, say, the US subsidiary or home office’s fault, legal fault still lies with the Australian company. Or if it’s a US company operating there, it needs to comply [with the principles] and can be penalised if it doesn’t.”
“I think it’s really about hitting [legitimate concerns over privacy] home while tying up loose ends legally.”
The loose end here is judicial redress, which is at the heart of a dispute between the US and the European Union taking place against the backdrop of the EU’s own data protection reform efforts and the fallout from last summer’s PRISM-related revelations.
There is currently no judicial redress for EU citizens whose personal data has been transferred to the US by a service provider and who believe on the basis of European law that their privacy rights have been violated; the amendment to the Australian law, by more clearly allocating liability, avoids this pitfall.
Meanwhile, Members of the European Parliament today passed a resolution that could lead to the suspension of the US Safe Harbour agreement governing transfers of personal data between organisations operating in the US and in EU member states.
Another key element strengthened by the amendment is the OAIC’s ability to seek steep civil penalties for serious or repeated interferences with privacy. Some found that element wanting in a case that concluded on Tuesday, in which Australian telco Telstra was ordered to pay AU$10,200 after it was found to have exposed the names, phone numbers and addresses of approximately 15,775 of its customers.
The fine was imposed because Telstra had failed to comply with security measures it had undertaken to put in place after a 2011 breach in which the telco leaked the personal information of over 700,000 customers.
“The biggest scandal here in my opinion isn’t that Telstra or a third party may have misused their software platform or that it might be insecure,” Laurent Lachal, senior analyst within Ovum’s software group, told Business Cloud News.
“It was how little the telco was fined after leaking such a vast amount of private information. For ten thousand dollars am I going to bother hiring the consultants and invest in the right security vendors? All of that will probably cost more than what the company was fined…”
Under the amendment the OAIC will be able to seek civil penalties of up to AU$1.7m against an organisation found to have seriously or repeatedly interfered with individuals’ privacy. In Europe, by comparison, if the current data protection reforms are adopted, fines could reach up to 5 per cent of a company’s global annual turnover.
“The new fines will certainly make service providers stand up and do something about it,” Lachal said.